Tough challenges ahead for new Data Protection Commissioner

We now know who has replaced former Commissioner Billy Hawkes, who retired from the role in August: civil servant Helen Dixon, who up until now has been registrar with the Companies Registration Office.

Prior to that, she was a principal officer in the Department of Enterprise, Trade and Innovation. She also worked for US technology company Citrix at its Europe, Middle East and Africa office in Ireland, as manager of Technical Support Services.

Pivotal point

She comes to the role at a pivotal and daunting point. Never have the issues of data protection and personal privacy had such high profile. Along with media coverage of repeated breaches of data in this country and internationally, the general public has had more than a year of leaks from the trove of documents obtained by former US government contractor and whistleblower Edward Snowden.

Those – revealing a shocking degree of large scale surreptitious digital data gathering on ordinary citizens by US and UK surveillance agencies – have rattled international relations.

In particular, the revelations have spurred the EU to push for more restrictions on access to its citizens’ data and greater national and international oversight.

On the US side, elected representatives, privacy organisations and the general public have demanded explanations and more transparency in how law enforcement agencies acquire and use personal data.

And, somewhere in the middle, with their exact involvement still a mystery, sit many multinational companies – especially in the technology and online sector – which handle teraflops of data from customers and service users around the world, every day.

Some are known to have passed data to US agencies, with many of these continuing to request they be given permission from the US government to reveal more about what they are asked for, and when and how they complied. Others state they had no idea US and UK agencies were siphoning off their users’ data.

In this tense atmosphere, the EU has signaled that it will bring in a more restrictive and clearly defined Data Protection Regulation next year. This must by transposed directly, not piecemeal as had been the case with the existing directive, which came out of legislation in a pre-internet era.

All indications are that the EU will require data misuse complaints against companies be referred to the Data Protection Commissioner in the EU state in which the company has its European headquarters.